alt Hacker NewsI've seen but haven't used CEL. Anybody with experience with competing tech have any strong opinions? I've used OPA, know CEL used by GCP and Kyverno, but otherwise haven't seen anything compelling enough to move away from the OPA ecosystem.
Replies
isacikgoz • today at 3:21 PM
I think apples to apples comparison would be comparing against Rego. To me CEL is more appealing due to its simplicity.
➕ show 2 replies
mtrimpe • today at 3:21 PM
CEL is much more computationally limited as it aims to keep evaluations in the microsecond range.
With OPA you can easily create policies that take tens, hundreds or even thousands of millisecond.
That comes at the expense of a lot of power though, so much of the complex logic that you can write in OPA simply isn't achievable in CEL.
The kubernetes apiserver allows using CEL in CustomResourceDefinition validation rules: - https://kubernetes.io/docs/reference/using-api/cel/ - https://kubernetes.io/docs/tasks/extend-kubernetes/custom-re...
It also allows using CEL in ValidatingAdmissionPolicies: - https://kubernetes.io/docs/reference/access-authn-authz/vali...